All told, remote-access and data-pilfering malware "can monitor running processes, send shell commands, take screenshots, download and run files, and identify front-most window titles," according to an analysis of NetWeird (a.k.a. NetWrdRC) published by Sophos. In addition, it said, the malware can "harvest stored and encrypted usernames and passwords from Opera, Firefox, SeaMonkey, and Thunderbird browsers and mail clients." It's able to infect Apple OS X (versions 10.6 and newer), Linux, Solaris, and Windows systems.

Security researchers have yet to recover the dropper, or installer, used to get the malware onto targeted systems, but once there, the Mac version application has a miniscule footprint--just 77K. Once installed, it attempts to phone home to a command-and-control server in the Netherlands.

But while malware's price point--relative to more established players such as the Zeus financial toolkit or Crisis malware--makes it a bargain, the attack code comes with a catch: it's riddled with amateur errors, making it less a threat to targeted operating systems than your wallet.

Focusing only on the Mac version, the developer's ineptitude includes the placement of the malware application itself, titled "WIFIADAPT.app.app," which shows up in an Apple user's home folder. Next to "Downloads," "Desktop," "Music," and other essential folders, the malware sticks out like a sore thumb.

The malware also lacks any state-of-the-art obfuscation techniques, although "the website for the developers of NetWeirdRC also lists the undetected nature of this tool as a selling point," said Lysa Myers, a security researcher at Intego, in a blog post. But "security through obscurity" is an unreliable proposition, and in the case of the publicity now enjoyed by NetWeird, it's obviously no longer a valid selling point.

NetWeird also has a persistence problem, since thanks to a coding error, malware infections on Macs seem incapable of surviving a reboot. "It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory."

The malware also chokes in the face of new Apple OS X security controls. On any Mac running the latest operating system, Mountain Lion (a.k.a. 10.8), set to default security settings, the malware won't be able to install itself, "because it's not from the App Store and isn't digitally signed by an Apple-endorsed developer," said Ducklin.

"It seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing," he said.

NetWeird also highlights how not every bent developer can double as a botnet-designing whiz kid. "It's interesting to compare and contrast Crisis and NetWeirdRC, as they are both commercially available products. While Crisis is an advanced threat which hides itself reasonably well, NetWeirdRC has a number of glaring issues," said Intego's Myers. "Perhaps the price tag tells us all we need to know: Crisis sells for $250,000, and NetWeirdRC starts at $60."

In another light, NetWeird simply represents criminals trying to out-scam each other. Just as scammers use scareware to socially engineer consumers into paying for products that pretend to rid their PCs of viruses they don't have, some malware developers are now selling bargain-rate, busted Mac botnet toolkits to unsuspecting buyers.

"It would seem that you get what you pay for, even in the malware world," said Myers.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Wow with a price tag of $250,000 I hope that there are some major differences between Crisis and NetWeirdRC. It is interesting to know that it is only effecting older versions of os X. maybe if you were one of the tech savvy kids the author refers to you could tweak the code and make NetWeirdRC more potentially dangerous than the $60 version that is sold. Has anyone used this product and what were the results on the hosts side of things?

Why do the legal authorities allow this type of transaction to take place? This is a product that is being sold to harvest and destroy computers? or to test I.T. infrustructers? Unless I am completely mistaken, that is an Illegal activity, and these people should be thrown in jail. If this is legitamate software for testing I.T. environments, then Extremely tight regulation should be made so the bad guys do not get ahold of it. There should be tight monitoring with software I.D.s, encrypted licenses, locked down code, that identify the owner so the attacker can be found if actually used for Malice.

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corrup...

A vulnerability in ReadA version 1.1.0.2 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in loss or corruption of data.

Stored cross-site scripting (XSS) vulnerability in the &quot;Site Name&quot; field found in the &quot;site&quot; tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php f...

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prag...